Recently I wrote a post about detecting JEXL injections with CodeQL. JEXL is a library that provides an interpreter for a simple expression language (EL). This time, I’ll talk about injections with Jakarta Expression Language, and how they can be found with CodeQL.Continue reading
In this post, I’ll talk about a CodeQL query for detecting JEXL Expression Language injection vulnerabilities. First, I’ll give a brief overview of expression languages in general and JEXL in particular. Next, I’ll explain what Expression Language injection is and how to prevent it. Then, I’ll describe how the CodeQL query works. In addition, I’ll show a couple of vulnerabilities that have been found by the query.
(you can also read it on Medium)Continue reading